Set Up a Basic Iptables Firewall on Amazon Linux AMI


How do I set up a basic iptables firewall on Amazon Linux AMI running on an EC2 or Lightsail instance?

AWS (Amazon Web Services) has its own Linux distribution called Amazon Linux AMI. It is largely binary compatible with CentOS Linux, with all necessary packages updated to the latest version. This page explains how to set up a basic iptables based firewall on Amazon Linux.

How To Set Up a Basic Iptables Firewall on Amazon Linux AMI

The procedure for setting up a basic firewall on Amazon Linux AMI is as follows:

  1. Log in to your Lightsail/EC2 instance using the ssh command.
  2. Switch to the root user by typing the sudo -i command.
  3. Create a file named /etc/sysconfig/iptables.
  4. Open or close ports and set other options as needed.
  5. Enable iptables at boot time: sudo chkconfig iptables on
  6. Start the iptables service: sudo service iptables start

Do I genuinely need an iptables based firewall for EC2 and Lightsail instances powered by Amazon Linux AMI?

The short answer is that it depends upon your needs.

Long answer: Both EC2 and Lightsail VMs come with a cloud-based firewall. When you create an AWS Lightsail instance/VM, some network ports are open by default. When a port is open, your instance can accept public network connections. For example, you can either open port 22 or close port 22, but you cannot specify a source IP address to control access to ssh port 22 or any other port. However, the EC2 firewall (security groups) allows us to set up a source or destination for the traffic. Here is a sample of the Lightsail instance firewall settings:

[Figure: Firewall settings in Amazon Lightsail for Amazon Linux AMI]
You can change the network port settings for your Lightsail instance on the Networking tab of your instance management page.

As you can see, the firewall is minimal and does not provide an option to set up the source or destination IP address for Lightsail instances. Therefore, setting up a basic iptables firewall on the host is a good idea on Amazon Linux AMI.

Sample /etc/sysconfig/iptables

Type the following command:
sudo vi /etc/sysconfig/iptables
Append the following:

*filter

# Deny all inbound and forwarded traffic by default
:INPUT DROP [0:0]
:FORWARD DROP [0:0]

# Accept all outbound traffic
:OUTPUT ACCEPT [0:0]

# Accept packets belonging to already established sessions
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Accept all loopback traffic
-A INPUT -i lo -j ACCEPT

# Open http/https ports from anywhere
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

# Accept ssh port from anywhere (disabled; prefer the source-restricted rules below)
# -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

# Accept ssh port from only your static IP address such as 1.2.3.4
-A INPUT -m state --state NEW -m tcp -p tcp -s 1.2.3.4 --dport 22 -j ACCEPT
# Multiple IPs are also allowed (a comma-separated list expands to one rule per address)
-A INPUT -m state --state NEW -m tcp -p tcp -s 202.53.1.2,93.1.2.3 --dport 22 -j ACCEPT

# Deny from specific IP address
# Rules are matched top to bottom, so a DROP placed here only affects traffic
# that no ACCEPT rule above already matched; move it up if it must override an ACCEPT
#-A INPUT -m state --state NEW -s 1.2.3.4 -j DROP

COMMIT

Enable iptables service

Run the following chkconfig command:
sudo chkconfig iptables on

Start iptables service

Execute the following service command to start iptables service on Amazon Linux AMI:
sudo service iptables start

List iptables rules on Amazon Linux AMI

sudo iptables -S                       # dump rules in iptables-save format
sudo iptables --list                   # same as -L
sudo iptables -L
sudo iptables -L -n -v                 # numeric addresses/ports, with packet and byte counters
sudo iptables -L -n -v --line-numbers  # show rule numbers, useful when inserting or deleting rules
sudo iptables -t NameHere -S           # -S takes a chain name, so select a table (e.g. nat, mangle) with -t
sudo iptables --table NameHere --list
sudo iptables -t NameHere -L -n -v --line-numbers


A note about IPv6 firewall for Amazon Linux AMI

Please note that so far we have only covered IPv4. In Amazon Linux AMI, IPv6 firewall rules are maintained separately from IPv4 in a file named /etc/sysconfig/ip6tables:
sudo vi /etc/sysconfig/ip6tables
Append the following config:

*filter

# Set default chain policies (the REJECT rules at the end act as the catch-all)
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:100]

# Accept ongoing traffic for any existing connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Accept all ICMPv6 packets (required for neighbor discovery and path MTU discovery)
-A INPUT -p ipv6-icmp -j ACCEPT

# Accept all traffic from/to loopback interface
-A INPUT -i lo -j ACCEPT

# Accept DHCPv6 client traffic
-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT

# Custom rules go here
# Open ports 80, 443 and 22 for IPv6
# Note: unlike the IPv4 file above, this accepts ssh from any IPv6 source;
# add -s <your-ipv6-address> to the port 22 rule to match the IPv4 policy
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

# Drop everything else
# Reject all traffic that did not match a rule with ICMPv6 "administratively prohibited"
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited

COMMIT

Save and close the file in vim. Turn on ip6tables service and start it:
sudo chkconfig ip6tables on
sudo service ip6tables start

List rules:
sudo ip6tables -L -n -v --line-numbers
sudo ip6tables -L -n -v
sudo ip6tables -S
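As an added example that is not part of the original article, here is a small POSIX shell audit for iptables-save style files such as the two above: it lists which INPUT ports accept new connections and from which sources, then flags ports the IPv6 file opens to any source while the IPv4 file restricts them, which is exactly how the two sample rulesets differ for ssh. The sample files are constructed inline from trimmed copies of the article's configs; the function names `list_open_ports` and `v6_wider_than_v4` are chosen here.

```shell
#!/bin/sh
# Added example, not from the article: audit iptables-save style files
# such as /etc/sysconfig/iptables and /etc/sysconfig/ip6tables for INPUT
# ports opened to new connections, and for IPv6 rules wider than IPv4.
# Print "proto/port source" for every accepting INPUT rule that names a
# destination port; source is ANY when the rule carries no -s match.
list_open_ports() {
    grep -E '^-A INPUT .* -j ACCEPT' "$1" | awk '
    {
        proto = ""; port = ""; src = "ANY"
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
            if ($i == "-s" || $i == "--source") src = $(i + 1)
        }
        if (port != "") print proto "/" port " " src
    }'
}
# Print ports that the IPv6 file ($2) accepts from any source while the
# IPv4 file ($1) accepts them only from listed sources.
v6_wider_than_v4() {
    { list_open_ports "$1" | sed 's/^/v4 /'
      list_open_ports "$2" | sed 's/^/v6 /'; } | awk '
    $1 == "v4" && $3 != "ANY" { restricted[$2] = 1 }
    $1 == "v4" && $3 == "ANY" { open4[$2] = 1 }
    $1 == "v6" && $3 == "ANY" && ($2 in restricted) && !($2 in open4) { print $2 }'
}
# Constructed sample files mirroring (trimmed) the article's two rulesets.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/iptables" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s 1.2.3.4 --dport 22 -j ACCEPT
COMMIT
EOF
cat > "$SAMPLE_DIR/ip6tables" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
EOF
v6_wider_than_v4 "$SAMPLE_DIR/iptables" "$SAMPLE_DIR/ip6tables"   # prints tcp/22
```

Run it against the real files (sudo is needed to read them) before enabling the services to catch a port that one address family leaves world-open.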


Conclusion

This page explained how to set up a basic IPv4 and IPv6 iptables firewall for Amazon Linux AMI. Even though Amazon offers a cloud-based firewall, it is a good idea to set up a default host firewall to avoid accidental exposure of ports and services to the Internet. Of course, this is not a complete tutorial, as we only covered the basics. Please see the following links for more info:

Posted by: Vivek Gite

